diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index e8d63b7..cbc0188 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -1945,6 +1945,15 @@ monitor_apache_logs() {
 # CRITICAL FIX: Write to file for cross-process communication
 write_ip_data_to_file "$ip" "$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" 2>/dev/null &
 
+ # CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
+ if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
+ # These are ALWAYS critical - block immediately regardless of score
+ echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
+ if type quick_block_ip &>/dev/null; then
+ quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
+ fi
+ fi
+
 # Check rate anomaly
 if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
 record_request "$ip"
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index f21a73b..cc38917 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1974,6 +1974,15 @@ monitor_apache_logs() {
 # Update IP data with ET-based score
 IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
 
+ # CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
+ if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
+ # These are ALWAYS critical - block immediately regardless of score
+ echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
+ if type quick_block_ip &>/dev/null; then
+ quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
+ fi
+ fi
+
 # Check rate anomaly
 if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
 record_request "$ip"
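Review bot: The `=~` test on `$et_attack_types` is an unanchored substring match, so any type label that merely contains `RCE` (a `BRUTEFORCE` or `FORCE` label, for instance, if the classifier ever emits one) would trigger an instant block of that IP; bound the alternatives to whole tokens, e.g. `if [[ "$et_attack_types" =~ (^|[^A-Za-z0-9_])(RCE|WEBSHELL|ECOMMERCE_EXPLOIT)([^A-Za-z0-9_]|$) ]]; then`. The `[CRITICAL] INSTANT_BLOCK_RCE` event is appended to `recent_events` before it is known whether `quick_block_ip` is defined, and the backgrounded call discards its exit status, so the event log can record a block that never took effect; write the event from inside the `if type quick_block_ip` branch and add an `else` that reports the missing blocker to stderr. The same nine lines are added to `live-attack-monitor.sh` in the second hunk and need the identical change. `monitor_apache_logs` begins and ends outside both hunks.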